AQI: Advanced Quantum Infomation Lectue 2 (Module 4): Ode finding and factoing algoithms Febuay 20, 203 Lectue: D. Mak Tame (email: m.tame@impeial.ac.uk) Intoduction In the last lectue we looked at the quantum Fouie tansfom, which then led to the quantum phase estimation algoithm. The good news is that we e moe than halfway to Sho s algoithm! The bad news is that this bit gets athe technical... anyways, let s see how it goes. I ll stat by looking at the ode finding algoithm which is a cucial suboutine of Sho s factoing algoithm. The ode finding algoithm is sometimes also efeed to as Sho s algoithm because it can be used fo othe things apat fom just factoing. Ode finding algoithm (Sho s algoithm) What s an ode? Fo positive integes x and N, with x<nand no common factos, i.e. gcd(x, N) =, the ode of x modulo N is defined as the least positive intege such that x modn =. Thee ae two mathematical concepts hee that you ve pobably come acoss befoe, but just so we e on the same page, I ll give an example of each: The fist is the modulo opeation, mod. Fo 20 mod 5 = 5, we chop up the numbe 20 into chunks of 5 and take the emainde, which gives us 5. Othe vaiants you might see in the liteatue ae 20 (mod 5) = 5 and 20 5 mod 5. I won t be using any of these! The second is the geatest common diviso opeation, gcd. Fo gcd(5, 2) we have that x =5has the divisos/factos and 5, and N = 2 has the divisos, 3, 7 and 2. The geatest intege that is a common diviso of both is, theefoe gcd(5, 2) =. Going back to the definition of the ode, we have fo x =5and N = 2 the ode =6. This can be checked as 5 6 = 5625 and 2 744 = 5624, theefoe 5 6 mod 2 =. Ode finding is believed to be a had poblem on a classical compute: No algoithm is known to solve the poblem efficiently. By this I mean using esouces polynomial in the O(L) bits needed to specify the poblem. Hee, L = log 2 N is the numbe of bits needed to specify N. Howeve, we ll see in a moment how Sho found a way to do ode finding efficiently using a quantum compute.
Ode finding is just the quantum phase estimation algoithm applied to the unitay opeato U which acts as follows on the computational basis states: U y = xy mod N y {0, } L. () Note that fo N y 2 L we set U y = y to avoid complications to the outcomes fo y N. In this case as we know x and N (they e given to us) we know the fom of U and can hopefully constuct it efficiently somehow (see late). In ode to see moe closely the connection of ode finding to phase estimation we look at the eigenstates of U given by u s u s = e i x k mod N, 0 s. (2) Fo which one finds U u s = e i 2πs u s (see Appendix A). Thus we can use phase estimation to extact out ϕ s. But once we find ϕ how do we get? By choosing the fist egiste (the one that ends up with ϕ) as having t =2L ++log 2 (2 + 2 ) qubits we get ϕ as an appoximation of s/ accuate to 2L +bits (see the end of the phase estimation lectue). In this case s ϕ and since N 2 L we have so that 2 2L+ 2 2L+ 2 2 s ϕ 2 2. (3) Fom numbe theoy we know that if this inequality holds fo two ational numbes s/ and ϕ, then s/ will be a convegent of the continued faction fo ϕ. What s a continued faction? And what s a convegent? If a ational numbe x has a continued faction epesentation x = a 0 +, (4) a + a 2 + + an whee n is a finite intege and the a i ae integes. The convegents ae the ationals a 0,a 0 + a,a 0 +,... of which thee ae a total of n. If x<, then we set a a + 0 =0. If we have the numbe x = p/q, a 2 whee p and q ae L bit integes then we can find all the convegents using O(L 3 ) opeations classically (using the continued factions algoithm). Once we have all the convegents we have ou candidate s and values, whee s of ϕ and we can test if x mod N =. Summay (halfway!) ae the convegents A shot ecap befoe we go fowad: So fa we have that ode finding can be achieved by using the phase estimation algoithm which equies O(L 3 ) opeations to get the ode. Thee ae two main souces of ovehead in this:. We must be able to efficiently implement contolled-u 2j opeations fo phase estimation. 2. We must be able to efficiently pepae an eigenstate u s with nontivial eigenvalue. Note that in the phase estimation algoithm fom in the last lectue we ween t allowed to know U o u s. Now we can know U, but not u s othewise we d know aleady! 2
Modula exponentiation (ovehead ) The phase estimation algoithm does the following j u QP E j U j u egadless of u being an eigenstate. So we want z y z U z y = z U zt20 U z t 2...U z 2 t y via step of phase estimation cicuit = z x zt20 x z t 2...x z 2 t y mod N = z x z y mod N. (5) I ve witten out the tansfomation explicitly so we can see the logic opeation U z acting on the computational basis states and wok out how we might constuct it. Fom Eq. (5) the sequence of opeations used in the quantum phase estimation (step ) is equivalent to multiplying the contents of the second egiste by the modula exponential x z mod N, whee z is the content of the fist egiste. This can be done efficiently using O(L 3 ) gates as follows: Compute x 2 mod N classically, then squae the esult and mod it to get x 4 mod N, then cay on up to x 2t mod N. These values ae then used to cay out contolled multiplication on the second egiste y dependent on the value of z t, z t 2,...z espectively, as shown in the figue below fo z t : Then, we get the desied opeation by noting that Figue : Basic modula exponentiation unit. x z y mod N =((x zt20 mod N)(x z t 2 mod N)...(x z 2 t mod N)y) modn (6) Eigenstate pepaation (ovehead 2) Note that pepaing u s means we must know befoehand! This isn t possible... but we can use the fact that = u s. (7) The poof is given in Appendix B. So we can use t =2L ++log 2 (2 + 2 ) qubits in the fist egiste and pepae the second egiste in. Then fo each s in the ange 0 to, we get an estimate ϕ = s/ accuate to 2L +bits with s=0 3
pobability at least ( )/. Note that in pactice we don t need to measue the second egiste as the fist will always have one of the ϕ states in it ϕ s u s 2. (8) s=0 Thus, we can tace out (discad) the second egiste. Pefomance Thee ae some pefomance issues with Sho s ode finding algoithm. Ode finding can fail if:. Phase estimation gives a bad estimate to s/. This occus with pobability at most which can be made abitaily small with negligible incease in the size of the cicuit. 2. As thee is no contol ove which s we get, s and may actually have a common facto, so that the etuned by continued factions is a facto of and not itself! Fo a andomly chosen s it s vey likely that s and ae copime, i.e. gcd(s, ) =, and this doesn t happen. This is because the numbe of pimes less than is at least 2log 2 due to the Eule function. So the chance that s is pime (and theefoe copime) to is at least 2log 2 / = 2log 2 > 2log 2 N so if we epeat the algoithm at least 2log 2 N L times we ll get with high pobability a phase s / such that gcd(s, ) =and continued factions will poduce an as desied. Thee ae ae moe sophisticated methods to impove the efficieny of this based on feedback iteations. Summay The figue below summaises the ode finding algoithm. Figue 2: Summay of ode finding. We now have an algoithm fo ode finding that has a untime polynomial in the L bits (o qubits fo the quantum pat) needed to specify the poblem, i.e. O(L 3 ), and a space of O(L) bits (qubits). The best classical algoithm that can do this has a untime of O(e 64 9 L/3 log 2 L 2/3 ), which gows faste than any powe of L, i.e. it gows exponentially. Thus we have an exponential speedup! But what can we do with it?... 4
2 Factoing algoithm (also known as Sho s algoithm) Sho s factoing algoithm is based on the ode finding algoithm and allows one to efficiently facto numbes. This is quite a emakable esult given the context of the following poblem: Given the positive composite intege N, find two pime numbes p and q which when multiplied togethe equal it: N = pq. This poblem is believed to be intactable on a classical compute, with the best known algoithm being the geneal numbe field sieve algoithm, fo which the untime is given by O(e 64 9 L/3 log 2 L 2/3 ). Indeed, the secuity of RSA-based public key cyptosystems, the most widely used encyption method on the intenet and in the militay, ely on the hadness of this poblem. It tuns out that this factoing poblem is equivalent to the ode finding poblem, fo which we know we can solve efficiently using a quantum compute! In fact, the equivalence between ode finding and factoising is moe geneal than just factoing N = pq. Ode finding allows us to efficiently find all the factos fo a given numbe N. Howeve, fo the pesent discussion I ll limit this to the specific case of N = pq. The algoithm. Pick a andom x N that is copime to N. The pobability fo this to occu is 2log 2 N (see the ode finding section: pefomance issue 2). So we only have to epeat O(log 2 N)=O(L) times. 2. Use Sho s ode finding algoithm to get the ode fo which x mod N =. This has a untime of O(L 3 ). 3. Now suppose that is even and x /2 mod N =. The pobability fo this to occu is 2 if N is odd (which is tue as N = pq). Let y = x /2, which leads to (y 2 ) mod N =0as x mod N =. This gives (y + )(y ) mod N =0 (9) Now, (y ) mod N =(x /2 ) mod N = 0as x k mod N =, whee k = is the smallest k fo this to hold. This gives (y ) mod N = 0. (0) Fom the elation x /2 mod N = we also have (y + ) mod N = 0 () Due to Eqs. (0) and () we know that (y ) and (y+) ae not divisible by N = pq, but Eq. (9) tells us that thei poduct is. As p and q ae pime this can only happen if one of them, say p, divides (y ) and the othe, say q, divides (y + ). Take a look at Appendix C to see this. Now the only divisos of N ae p and q, and as they ae pime, we have that gcd(y,n)=p and gcd(y +,N)=q. So in summay, fo a given N = pq, once the ode is found fo a andomly selected x, we get y and we can find p and q by calculating the gcd of y and y +with N, which can be done using Euclid s algoithm with a untime of O(L 3 ). 5
Example Factoing 5:. Choose a andom numbe x<nthat has no common factos with N. Choose x =7. 2. Compute the ode of 7 mod 5 using the following cicuit Figue 3: Cicuit fo ode finding suboutine of factoing algoithm Conside the following input state 2 t 2 t k = 2 t [ 0 + + + 2 t ]. Use t = so that the eo pobability is at most /4. Compute f(k) =x k mod N putting the esult in the second egiste to give 2 t k x k mod N 2 t = 2 t [ 0 + 7+ 2 4+ 3 3+ 4 + 5 7+ 6 4+...]. Assume the second egiste is measued, obtaining, 7, 4 o 3. Note this is not necessay in geneal and just done hee to show the statistics of the outcomes. Say 4 is obtained (any esult woks), then the input state to the QFT is 4 [ 2 + 6 + 0 + 4 +...]. (3) 2t Applying QFT we get α with pobability distibution as shown below (2) Figue 4: Pobability distibution fo the output. 6
This give the states 0, 52, 024 o 536 each with pobability of /4. Note that t = so we can get up to 2 = 2048 fo. Suppose 536 is obtained, theefoe ϕ = 536 2048 =, which has the convegents (0,, 3 + 4 ). 3 Thus we have ou candidate s =3and =4. 3. By chance is even and x /2 mod N =7 2 mod 5 = 4 =, theefoe ou algoithm succeeded! So we compute gcd(x 2, 5) = 3 and gcd(x 2 +, 5) = 5. This gives the two pimes factos: 3 5 = 5. Refeences N. D. Memin, Quantum Compute Science: An intoduction, Cambidge Univesity Pess, Cambidge (2007). M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Infomation, Cambidge Univesity Pess, Cambidge (2000). P. W. Sho, Polynomial-Time Algoithms fo Pime Factoization and Discete Logaithms on a Quantum Compute, SIAM Rev. 4, 303 (999). J. Peskill, Quantum Infomation lectue notes, http://www.theoy.caltech.edu/people/peskill/ph229/#lectue (2004). The quantum algoithm zoo: http://math.nist.gov/quantum/zoo. C. Lomont, The Hidden Subgoup Poblem - Review and Open Poblems, axiv:quant-ph/04037 (2004). 7
Appendix A Hee, I show that u s fom Eq. (2) is an eigenstate of U: U u s = e = e U x k mod N x k+ mod N. = e (x(x k mod N)) mod N (4) I ve used a few ticks to go fom the fist to the second line in Eq. (4): Let a mod m = b and c mod m = d. This means that a = b+mj and c = d+mk. Thus we have that ac = bd+m(dj +bk +mjk) and theefoe ac mod m = bd mod m. (5) This means that (x(x k mod N)) mod N ((x mod N)(x k mod N)) mod N can be found to be equal to xx k mod N = x k+ mod N, by letting a = x, c = x k and m = N in Eq. (5). 2πs On the second line of Eq. (4) the k +state now has the phase of k s state, which diffes by e fo all k. So if we emove this we get back u s. Thus U u s = e i 2πs u s and we can use phase estimation to extact out s/. Appendix B Hee, I show that = s=0 u s. Taking the ight hand side we have: s=0 Now apply on this to give e e s=0 x k mod N = s=0 e x k mod N. (6) x k mod N = δ k0, (7) which gives an ovelap of, so that the state is. The last equality is tue because x k mod N, with k =, is the smallest nontivial intege k such that x k mod N =and as we sum ove integes <only the k =0 case gives a nonzeo esult Appendix C Let (y ) = u and (y + ) = v. Then fom Eq. (9) we have ((y + )(y )) mod N =0, which means that N uv. Hee, denotes divides by. This means that uv = kn (8) 8
fo some intege k. Now suppose that gcd(v, N) =, then by Bézout s identity (see below) we have integes m and n such that mv + nn =. (9) Fom Eq. (8) we have muv = mkn, which fom Eq. (9) gives u( nn) = mkn, which gives u unn = mkn, which gives u =(mk+un)n. Theefoe N u. Howeve, we have that (y ) mod N = 0, theefoe N u and theefoe gcd(v, N) =, which means gcd(y +,N) =. We can make a simila agument fo (y ), which leads to gcd(y,n) =. Thus, if N doesn t divide (y + ) we have gcd(y +,N) = and N must have a nontivial facto (common diviso) with both (y + ) and (y ). As N = pq is the only possible decomposition with p and q as the only divisos, we have that Bézout s identity p = gcd(y +,N) q = gcd(y,n) If a and b ae nonzeo integes with gcd of d, then thee exist integes x and y such that ax + by = d. (20) Fo a poof of this you ll need to check out a book on numbe theoy. Note that x and y can be -ve integes, whee one is +ve, the othe is -ve. 9